Eddy Rubens Microsoft Services Belgium eID workshop - 24/06/2004


Agenda

The agenda follows the main e-functionalities of the eID card:
- Introduction
- Certificates and Signatures
- Data capture
- Authentication and Authorization

Introduction: Certificates and Signatures
- What are certificates and signatures
- Types of signatures: binary blobs vs. XML based
- .NET XAdES library

Introduction: Data capture
- Capture identity information from the eID card
- The interface to the eID middleware is quite technical
  - Requires intensive study: C API with C structs, return codes
  - Requires a deep technical profile: C/C++ knowledge
- Interfacing with .NET does not work out of the box

Introduction: Data capture
- What have we done to assist? A .NET wrapper around the FedICT middleware
  - Easier to understand and use: simple OO interface
  - Adding a reference to the wrapper is enough to start
  - Usable from any .NET language and from VB6
  - Can be exposed as a COM component

Introduction: Authentication & Authorization
- What is Authentication and Authorization
- Types of authentication: Windows logon, ASP.NET site, Federal Portal
- Custom made vs. Partner Solution

Agenda
- Introduction
- Certificates and Signatures
- Data capture
- Authentication and Authorization

Certificates
- What is an X.509 v3 certificate?
  - A digitally signed statement
  - Contains a public key and information about the owner
  - Is linked to a private key; the private key is only accessible and usable by the owner
- Where do they come from?
  - Issued by a Certification Authority (CA)
  - The CA is responsible for validating the request
  - The CA provides the private key
  - CAs can delegate certificate issuing to intermediate CAs
- What can they be used for?
  - The possible uses of a certificate are specified on the certificate itself
  - We'll focus here on signing and authentication

Certificates
- The eID card contains certificates: signing and authentication, plus the root and intermediary CAs
- Tool to view certificates: MMC, with the Certificates snap-in for Current User, Local Machine or Service Accounts
- Registration of the eID certificates in the Windows certificate store
- Demo: registration of certificates

Signatures
- What is a digital signature?
  - Proof that the owner of the private key signed the document
  - The signature can be verified by the receiver
- Signature types: binary blobs vs. XML (XMLDSIG and XAdES)

Signatures: scenario
- Alice sends a document to Bob
- Alice wants to assure Bob that the document is hers

Signatures
- One-way calculation of a 'Message Digest' using a hash algorithm
  - It is highly unlikely that someone else can generate the same digest from another document
  - The digest is small: with the SHA1 digest algorithm, 20 bytes

  Message --[Hash]--> Digest

Signatures
- The message digest is encrypted with Alice's private key
- Alice sends the document and the signature to Bob

  Message --[Hash]--> Digest --[Encrypt with private key]--> Signature

Signatures
- Bob receives the document with the signature
- Bob calculates the message digest of the document
- Bob decrypts the signature with Alice's public key
- Bob verifies that both message digests are identical

  Message   --[Hash]----------------------> Digest
  Signature --[Decrypt with public key]---> Digest   (must be identical)
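The Alice/Bob flow above, as an added C# example that is not part of the original workshop deck: hash the document, sign the digest with the private key, and let the receiver recompute the digest and check it against the signature with the public key. It assumes .NET Core 2.0 or later and generates a throw-away RSA key pair in place of the eID card's signing key; the document text and the tampered copy are constructed here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the workshop slides. Stand-in for the eID signing
// key: a throw-away RSA pair. SHA-256 is used for the actual signature;
// SHA-1 is only computed to show the 20-byte digest size the slides mention.
public static class DigestSignatureDemo
{
    // Step 1: one-way message digest of the document.
    public static byte[] Digest(byte[] document)
    {
        using SHA256 sha = SHA256.Create();
        return sha.ComputeHash(document);
    }

    // Step 2 (Alice): the digest is signed with the private key. The slides
    // describe this as "encrypting the digest with the private key"; in RSA
    // terms it is the PKCS#1 signature operation over the digest.
    public static byte[] Sign(RSA privateKey, byte[] document)
    {
        return privateKey.SignHash(Digest(document), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Step 3 (Bob): recompute the digest of the received document and compare
    // it with the digest recovered from the signature using Alice's public key.
    public static bool Verify(RSA publicKey, byte[] document, byte[] signature)
    {
        return publicKey.VerifyHash(Digest(document), signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        using RSA alice = RSA.Create(2048);            // Alice's key pair (private + public)
        using RSA alicePublic = RSA.Create();
        alicePublic.ImportParameters(alice.ExportParameters(false)); // what Bob holds: the public part only

        // Constructed sample document.
        byte[] document = Encoding.UTF8.GetBytes("I owe B 1000 EUR, to be paid on 31/12/2004");
        byte[] signature = Sign(alice, document);

        using SHA1 sha1 = SHA1.Create();
        Console.WriteLine($"SHA-1 digest length: {sha1.ComputeHash(document).Length} bytes");
        Console.WriteLine($"Signature length:    {signature.Length} bytes");

        // Bob checks the document exactly as Alice sent it: the digests match.
        Console.WriteLine($"Original verifies: {Verify(alicePublic, document, signature)}");

        // Mallory changes the amount: the recomputed digest differs from the one
        // in the signature, so the same signature no longer verifies.
        byte[] tampered = Encoding.UTF8.GetBytes("I owe B 9000 EUR, to be paid on 31/12/2004");
        Console.WriteLine($"Tampered verifies: {Verify(alicePublic, tampered, signature)}");
    }
}
```

Bob only ever needs Alice's public key, which is what the X509Certificate element of a signature carries; what the example does not settle is whether that public key really belongs to Alice, which is the job of the certificate chain check covered under Certificates.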

Signatures on the Windows platform
- Using MS Office (XP & 2003): Word, Excel, PowerPoint, InfoPath (Office 2003), Outlook
- XMLDSIG: using the .NET class
- XAdES: using the .NET XAdES library

Signing MS Office documents
- Signing documents: demo signature in Word
  - Show tampering by Mallory
- Demo signature in Excel
- Demo signature in InfoPath
  - Show XML

Signing mail
- Problem: the eID card doesn't contain an email address, so a registry patch is needed:

  [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
  "SupressNameChecks"=dword:00000001

- Demo: Outlook

XML Digital Signatures
- W3C standard for signatures: XMLDSIG
  - XML based, W3C recommendation: http://www.w3.org/TR/xmldsig-core/
- 'Human readable' format; signatures before this standard were binary blobs
  - Example of binary signatures: signatures in Word
  - Example of XMLDSIG signatures: signatures in InfoPath
- Existing tools can be used: Notepad vs. Berviewer
- Easier to understand

XMLDSIG
- Core standard for new XML standards
  - Security Assertion Markup Language (SAML): OASIS; XML framework for exchanging authentication and authorization information
  - XML Advanced Electronic Signatures (XAdES): ETSI; XML format for electronic signatures satisfying the requirements defined in the European Directive for Electronic Signatures, and with long-term validity

XMLDSIG: what does it look like?

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="..." />
      <SignatureMethod Algorithm="..." />
      <Reference URI="#data" Id="enveloped">
        <DigestMethod Algorithm="..." />
        <DigestValue>SyNLjOrOTANUQX7K3504GPnrPss=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>...</X509Certificate>
      </X509Data>
    </KeyInfo>
    <Object Id="data">...</Object>
  </Signature>

XMLDSIG
- Creating an XMLDSIG signature with .NET
- Demo: code sample
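An added example of the .NET SignedXml class at work, standing in for the demo code sample that the deck does not reproduce (it is not the author's code): it creates an enveloped XMLDSIG signature over a small XML document, verifies it, and shows that editing the signed content breaks verification. It assumes System.Security.Cryptography.Xml is available (built into .NET Framework; a NuGet package on .NET Core and later) and uses a throw-away RSA key instead of the eID card's certificate; the XML document is constructed here.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not the deck's demo code. Uses the .NET SignedXml class
// the slides refer to; the RSA key is a throw-away stand-in for the card.
public static class XmlDsigDemo
{
    // Sign: a Reference with URI="" covers the whole document, and the
    // enveloped-signature transform excludes the <Signature> element itself
    // from the digest (it is not there yet when the digest is computed).
    public static XmlDocument Sign(string xml, RSA signingKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);

        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        var reference = new Reference("");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        // KeyInfo carries the public key so a verifier can locate it; with an
        // eID card this would be the <X509Data> element shown on the slide.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue(signingKey));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verify against a key the verifier already trusts. Passing the key is
    // deliberate: CheckSignature() with no argument uses whatever key sits in
    // <KeyInfo>, which only proves the document matches *some* key, not that
    // it was signed by the party you expect.
    public static bool Verify(XmlDocument signedDoc, RSA trustedKey)
    {
        XmlNodeList signatures = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1)
            return false; // reject documents with no signature or with several

        var signedXml = new SignedXml(signedDoc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        return signedXml.CheckSignature(trustedKey);
    }

    public static void Main()
    {
        using RSA key = RSA.Create(2048);
        using RSA publicOnly = RSA.Create();
        publicOnly.ImportParameters(key.ExportParameters(false));

        // Constructed sample document.
        XmlDocument signed = Sign("<contract><amount>1000</amount><due>31/12/2004</due></contract>", key);
        Console.WriteLine(signed.OuterXml); // the <Signature> element is now appended to <contract>
        Console.WriteLine($"Untouched document verifies: {Verify(signed, publicOnly)}");

        // Tamper with signed content: the Reference digest no longer matches,
        // so CheckSignature reports failure without throwing.
        signed.SelectSingleNode("/contract/amount").InnerText = "9000";
        Console.WriteLine($"Edited document verifies: {Verify(signed, publicOnly)}");
    }
}
```

The slide's own example references its data by Id (URI="#data") rather than by the whole document; when you do that, make sure the element your application actually reads is the element the Reference points to, and validate the signing certificate's chain rather than trusting the key embedded in KeyInfo.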

XML Advanced Electronic Signatures
- Aka XAdES
- European Telecommunication Standards Institute (ETSI)
- Compliant with European Directive 1999/93/EC on Electronic Signatures
- http://uri.etsi.org/01903/v1.1.1/

Why XAdES?
- XAdES opens up compelling possibilities: new use cases beyond XMLDSIG
- The XAdES specification is compliant with the European Directive

Why XAdES?
- Main XMLDSIG use case: short-lived e-commerce style sales transactions
- Some common use cases for XAdES: counter signatures, non-repudiation, long-lived contracts

Why XAdES?
- Counter signatures: a signature added to a document that has already been signed
  - To witness the first signature
  - To confirm an authorization
  - In case of multiple stakeholders
- XMLDSIG doesn't provide for counter signing out of the box

Why XAdES?
- Non-repudiation, shown on a timeline (running up to 31/12/2004):
  1. A signs the contract "I owe B 1000€, to be paid on 31/12/2004"
  2. B receives and timestamps the contract
  3. A revokes the certificate
  4. B asks for the 1000€
  5. A refuses to pay, claiming that the signature was forged
  6. A & B meet in court: B can prove that the signature was made at a time when A's certificate wasn't revoked

Why XAdES?
- Signing contracts that have a 'shelf life' of multiple years
- Issue: over time, weaknesses may occur in the cryptographic algorithms used to create the electronic signature (ES)
- XAdES solution: the XAdES-A form with the ArchiveTimeStamp element
  - Can be nested
  - The verifier has the task of adding an ArchiveTimeStamp well before the algorithm becomes compromised

Why a XAdES library for .NET?
- Creating applications that use XAdES is a challenge
- The XAdES technical specification is quite detailed: 70 printed pages
- The XAdES schema file (XAdES.XSD) is 19KB, with over 120 different elements

Why a XAdES library for .NET?
- Get a head start in XAdES development
- The XAdES library eases development: development from technical RFC-style documentation is not an everyday job for most business solution developers
- Lets you get results faster: built-in checks can help you detect mistakes earlier

About XAdES
- XAdES extends XMLDSIG: XAdES uses the extension mechanism of XMLDSIG, so a XAdES signature is an XMLDSIG signature

  Signature (XMLDSIG)
    SignedInfo (XMLDSIG)
    SignatureValue (XMLDSIG)
    KeyInfo (XMLDSIG)
    Object (XMLDSIG)
      SignedProperties
      UnsignedProperties

About XAdES: XML structure

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod />
      <SignatureMethod />
      <Reference URI="#SignedPropertiesId" />
    </SignedInfo>
    <SignatureValue />
    <KeyInfo />
    <Object Id="XadesObjectId">
      <QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.1.1#">
        <SignedProperties Id="SignedPropertiesId" />
        <UnsignedProperties />
      </QualifyingProperties>
    </Object>
  </Signature>

XAdES .NET library architecture
- XAdES extends XMLDSIG
- The XAdES library extends the .NET XMLDSIG implementation: XadesSignedXml derives from SignedXml
- Backwards compatible with XMLDSIG signatures: property SignatureStandard

XAdES .NET library architecture
- Serialization model is the same as in the SignedXml class
  - GetXml: flatten the object model into XML
  - LoadXml: hydrate the object model from XML
- XAdES schema validation

XAdES .NET library architecture: dotted notation
- XAdES XML elements are nested quite deep:

  <Object>
    <QualifyingProperties>
      <SignedProperties>
        <SignedSignatureProperties>
          <SignatureProductionPlace>
            <City>Brussels</City>
          </SignatureProductionPlace>
        </SignedSignatureProperties>
      </SignedProperties>
    </QualifyingProperties>
  </Object>

- Automatic instantiation of the nested object graph
- Easy dotted notation with Intellisense assistance:

  xadesObject.QualifyingProperties.SignedSignatureProperties.SignatureProductionPlace.City = "Brussels";

- Only "dirty" objects get serialized

Use cases revisited
- Counter signature sample code:

  // Load the counter signature from the file selected in the test client
  XadesSignedXml newXadesSignedXml = new XadesSignedXml();
  XmlDocument signatureXmlDocument = new XmlDocument();
  signatureXmlDocument.PreserveWhitespace = true;
  signatureXmlDocument.Load(this.counterSignatureFileTextBox.Text);
  newXadesSignedXml.LoadXml(signatureXmlDocument.DocumentElement);
  // Attach it to the UnsignedSignatureProperties of the signature being counter-signed
  // (unsignedSignatureProperties is obtained from that signature elsewhere in the test client)
  unsignedSignatureProperties.CounterSignatureCollection.Add(newXadesSignedXml);

Demo

Deliverables: .NET XAdES library
- Windows installer file
  - Microsoft.Xades.dll: the xcopy-deployable library
  - XAdESLibraryDocumentation.chm: help file
  - XadesTestClient.exe: test client showing most use cases
  - Source code of the library and the test client

Agenda
- Introduction
- Certificates and Signatures
- Data capture
- Authentication and Authorization

Data capture
- Architecture of the .NET wrapper:

  Your client
    -> .NET class Card (façade)
         .NET class Identity
         .NET class Address
    -> Managed C++ class
    -> FedICT eidlib
    -> FedICT CSP

- Role of the wrapper: the managed C++ class hides the complexity
  - Turns the C API and C structs into .NET OO classes
  - Turns error codes and status information into .NET exceptions
  - Conversions: UTF8 into string, byte array to picture, byte array to .NET certificate classes
  - Init and Exit functions into constructor/destructor
- The façade class Card makes use easy

Data capture demo
- Demo: client code

Agenda
- Introduction
- Certificates and Signatures
- Data capture
- Authentication and Authorization

Authentication & Authorization
- Custom written web authentication using the eID certificate
- End-to-end solutions from partners exist: upcoming presentations

Custom Authentication: capture certificate information on the server

  Imports System.Web
  Imports System.Security.Cryptography.X509Certificates

  Public Class LogonPage
      Inherits System.Web.UI.Page

      ' Dump what the web server passed on about the client certificate
      Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter)
          Dim clientCert As HttpClientCertificate
          Dim keys(), key As String
          clientCert = Request.ClientCertificate
          Response.Write(" IsPresent:" & clientCert.IsPresent)
          Response.Write(" Issuer:" & clientCert.Issuer & "<br>")
          Response.Write(" IsValid:" & clientCert.IsValid & "<br>")
          Dim x509Cert = New X509Certificate(clientCert.Certificate)
          Response.Write("Hash:" & x509Cert.GetCertHashString())
          MyBase.Render(writer)
      End Sub
  End Class
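The VB.NET page above only displays what the web server reports about the client certificate. As an added C# example (not the deck's sample code), here are the checks an application should apply to the raw certificate bytes before treating them as an authenticated identity: validity period, the clientAuth extended key usage (so the card's signing certificate cannot be used to log on), and a chain built to a root you choose, with revocation checking. It assumes .NET 5 or later for X509ChainTrustMode.CustomRootTrust; the root CA and citizen certificates in Main are constructed placeholders, not the real Belgian eID hierarchy.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the deck's VB.NET sample. Validates the certificate
// behind Request.ClientCertificate (its RawData / Certificate bytes) before
// the application accepts the identity it names.
public static class ClientCertValidation
{
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    public static (bool Ok, string Reason) Validate(
        byte[] rawCertificate, X509Certificate2 trustedRoot, DateTime nowUtc, X509RevocationMode revocation)
    {
        using var cert = new X509Certificate2(rawCertificate);

        // 1. Validity period, compared in UTC.
        if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
            return (false, "certificate outside its validity period");

        // 2. The card carries a signing and an authentication certificate; only
        //    one marked for client authentication may log a user on.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null || !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEku))
            return (false, "certificate lacks the clientAuth extended key usage");

        // 3. Chain to the root you pinned, not to whatever the machine store
        //    happens to trust, and check revocation (Online in production).
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationTime = nowUtc;
        if (!chain.Build(cert))
        {
            string errors = string.Join("; ", chain.ChainStatus.Select(s => s.Status.ToString()));
            return (false, "chain does not validate: " + errors);
        }

        return (true, cert.Subject);
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;

        // Constructed test PKI: a throw-away root CA and a leaf with clientAuth.
        using RSA rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Placeholder Root CA", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
        using X509Certificate2 root = rootReq.CreateSelfSigned(now.AddDays(-1), now.AddYears(5));

        using RSA leafKey = RSA.Create(2048);
        var authReq = new CertificateRequest("CN=Test Citizen (Authentication)", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        authReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(ClientAuthEku) }, false));
        using X509Certificate2 authCert = authReq.Create(root, now.AddDays(-1), now.AddYears(1), new byte[] { 1, 2, 3 });

        // NoCheck only because these constructed certificates publish no CRL or OCSP endpoint.
        var (ok, reason) = Validate(authCert.RawData, root, now, X509RevocationMode.NoCheck);
        Console.WriteLine($"Authentication certificate accepted: {ok} ({reason})");

        // A certificate without clientAuth, like the card's signing certificate, is refused.
        var signReq = new CertificateRequest("CN=Test Citizen (Signature)", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 signCert = signReq.Create(root, now.AddDays(-1), now.AddYears(1), new byte[] { 4, 5, 6 });
        var (okSign, reasonSign) = Validate(signCert.RawData, root, now, X509RevocationMode.NoCheck);
        Console.WriteLine($"Signing certificate accepted: {okSign} ({reasonSign})");
    }
}
```

In a deployment, the trusted root passed to Validate is the published eID root CA certificate, and the revocation mode is Online; the IsValid flag in the VB sample reflects the web server's own check and does not let the application choose which root to trust.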

Authentication using the FedICT Federal Portal
- Authorization solution until eID is rolled out
- Targeted at government clients
- .NET solution, developed in collaboration with Cipal and FedICT
- Usable from ASP.NET and ASP
- Deliverables: cookbook with source code available for download

Federal Portal SSO
- www.belgium.be/usermgt
- Solution architecture (diagram): Default.asp -> Logonredirect.asp -> Logon.asp at FEDICT (parameters DOMAIN, TARGET, LANGUAGE); the SAML response is handled by Cipal.Authentication.dll; on OK the user reaches the iLoket pages, otherwise an error message
- Demo by Christophe Pagone - Cipal

Windows logon using eID
- Requires a Graphical Identification and Authentication dll (GINA)
- Sample GINA code in the Platform SDK security samples: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina.asp
- More information: [email protected]

Summary of deliverables
- .NET wrapper and samples for the eID API
- XAdES .NET library and documentation
- .NET cookbook with code for the authentication service of the Federal Portal